-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix2
-rw-r--r--pkgs/os-specific/linux/paxctl/setup-hook.sh8
-rw-r--r--pkgs/stdenv/generic/builder.sh1
-rw-r--r--pkgs/stdenv/generic/default.nix8
-rw-r--r--pkgs/stdenv/generic/setup.sh19
5 files changed, 16 insertions, 22 deletions
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 8e70ddd84349d..795ffa38ac4d3 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     "MANDIR=share/man/man1"
   ];
 
+  setupHook = ./setup-hook.sh;
+
   meta = with stdenv.lib; {
     description = "A tool for controlling PaX flags on a per binary basis";
     homepage    = "https://pax.grsecurity.net";
diff --git a/pkgs/os-specific/linux/paxctl/setup-hook.sh b/pkgs/os-specific/linux/paxctl/setup-hook.sh
new file mode 100644
index 0000000000000..11a6bb9910f94
--- /dev/null
+++ b/pkgs/os-specific/linux/paxctl/setup-hook.sh
@@ -0,0 +1,8 @@
+# PaX-mark binaries.
+paxmark() {
+    local flags="$1"
+    shift
+
+    paxctl -c "$@"
+    paxctl -zex -${flags} "$@"
+}
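Review bot: In `paxmark`, the `-${flags}` argument of the second `paxctl` call is unquoted and unchecked, so an empty first argument passes a bare `-` and a value containing whitespace is split into extra arguments. Reject an empty value with `[ -n "$flags" ] || return 1` before the calls, and quote the argument as `paxctl -zex "-${flags}" "$@"`. The header comment should also state the contract, for example `# paxmark FLAGS FILE...: run paxctl -c, then paxctl -zex -FLAGS, on each FILE (FLAGS are paxctl letters without the leading dash).` In paxctl's convention the lower-case letters switch a protection off for the marked binary, so the comment could remind callers to pass only the flags the program needs.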
diff --git a/pkgs/stdenv/generic/builder.sh b/pkgs/stdenv/generic/builder.sh
index 60360e7b8256b..fd4c17ca25191 100644
--- a/pkgs/stdenv/generic/builder.sh
+++ b/pkgs/stdenv/generic/builder.sh
@@ -12,7 +12,6 @@ cat "$setup" >> $out/setup
 sed -e "s^@initialPath@^$initialPath^g" \
     -e "s^@gcc@^$gcc^g" \
     -e "s^@shell@^$shell^g" \
-    -e "s^@needsPax@^$needsPax^g" \
     < $out/setup > $out/setup.tmp
 mv $out/setup.tmp $out/setup
 
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index f370aec88cf27..28a3c1e9f3b75 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -10,8 +10,6 @@ let lib = import ../../../lib; in lib.makeOverridable (
 , setupScript ? ./setup.sh
 
 , extraBuildInputs ? []
-
-, skipPaxMarking ? false
 }:
 
 let
@@ -56,9 +54,6 @@ let
 
       inherit preHook initialPath gcc shell;
 
-      # Whether we should run paxctl to pax-mark binaries
-      needsPax = result.isLinux && !skipPaxMarking;
-
       propagatedUserEnvPkgs = [gcc] ++
         lib.filter lib.isDerivation initialPath;
     }
@@ -181,6 +176,9 @@ let
            || system == "armv6l-linux"
            || system == "armv7l-linux";
 
+      # Whether we should run paxctl to pax-mark binaries.
+      needsPax = isLinux;
+
       # For convenience, bring in the library functions in lib/ so
       # packages don't have to do that themselves.
       inherit lib;
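Review bot: The comment on `needsPax` still reads as if stdenv itself runs paxctl, but after this change nothing in the visible stdenv code consumes the attribute. Marking appears to depend on a package having paxctl among its build inputs. If that is the intended use, a wording such as `# Whether packages should add paxctl to their build inputs so that paxmark takes effect.` would match the new behaviour. The `skipPaxMarking` argument is dropped in the first hunk of this file, so a caller still passing it would presumably be rejected at evaluation; callers outside this diff are worth checking.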
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index e5fdbdf2d53b9..72db7dc6004fa 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -337,22 +337,9 @@ fi
 export NIX_BUILD_CORES
 
 
-######################################################################
-# Misc. helper functions.
-
-
-# PaX-mark binaries
-paxmark() {
-    local flags="$1"
-    shift
-
-    if [ -z "@needsPax@" ]; then
-        return
-    fi
-
-    paxctl -c "$@"
-    paxctl -zex -${flags} "$@"
-}
+# Dummy implementation of the paxmark function. On Linux, this is
+# overwritten by paxctl's setup hook.
+paxmark() { true; }
 
 
 ######################################################################
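Review bot: The fallback `paxmark() { true; }` hides a missing paxctl build input, because a package that calls `paxmark` without the hook sourced builds successfully with its binaries left unmarked. The comment says the function is overwritten "on Linux", but from the diff it is replaced only when paxctl's setup hook is actually sourced. A more accurate comment would be `# No-op fallback for paxmark. Replaced by paxctl's setup hook when paxctl is a build input; without it, binaries are left unmarked.`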